♻️ Refactored auth service for better security

2025-11-29 18:00:23 +08:00
parent 78f3873a0c
commit 00b3087d6a
13 changed files with 3121 additions and 101 deletions
--- a/DysonNetwork.Shared/Models/AuthSession.cs
+++ b/DysonNetwork.Shared/Models/AuthSession.cs
@@ -16,10 +16,18 @@ public class SnAuthSession : ModelBase
    public Guid AccountId { get; set; }
    [JsonIgnore] public SnAccount Account { get; set; } = null!;

-    // When the challenge is null, indicates the session is for an API Key
+    // The challenge that created this session
    public Guid? ChallengeId { get; set; }
    public SnAuthChallenge? Challenge { get; set; } = null!;

+    // The client device for this session
+    public Guid? ClientId { get; set; }
+    public SnAuthClient? Client { get; set; } = null!;
+    
+    // For sub-sessions (e.g. OAuth)
+    public Guid? ParentSessionId { get; set; }
+    public SnAuthSession? ParentSession { get; set; }
+
    // Indicates the session is for an OIDC connection
    public Guid? AppId { get; set; }

@@ -32,6 +40,9 @@ public class SnAuthSession : ModelBase
        Account = Account.ToProtoValue(),
        ChallengeId = ChallengeId.ToString(),
        Challenge = Challenge?.ToProtoValue(),
+        ClientId = ClientId.ToString(),
+        Client = Client?.ToProtoValue(),
+        ParentSessionId = ParentSessionId.ToString(),
        AppId = AppId?.ToString()
    };
 }
@@ -67,13 +78,14 @@ public class SnAuthChallenge : ModelBase
    [Column(TypeName = "jsonb")] public List<string> Scopes { get; set; } = new();
    [MaxLength(128)] public string? IpAddress { get; set; }
    [MaxLength(512)] public string? UserAgent { get; set; }
+    [MaxLength(512)] public string DeviceId { get; set; } = null!;
+    [MaxLength(1024)] public string? DeviceName { get; set; }
+    public ClientPlatform Platform { get; set; }
    [MaxLength(1024)] public string? Nonce { get; set; }
    [Column(TypeName = "jsonb")] public GeoPoint? Location { get; set; }

    public Guid AccountId { get; set; }
    [JsonIgnore] public SnAccount Account { get; set; } = null!;
-    public Guid? ClientId { get; set; }
-    public SnAuthClient? Client { get; set; } = null!;

    public SnAuthChallenge Normalize()
    {
@@ -94,7 +106,7 @@ public class SnAuthChallenge : ModelBase
        Scopes = { Scopes },
        IpAddress = IpAddress,
        UserAgent = UserAgent,
-        DeviceId = Client!.DeviceId,
+        DeviceId = DeviceId,
        Nonce = Nonce,
        AccountId = AccountId.ToString()
    };
@@ -110,6 +122,16 @@ public class SnAuthClient : ModelBase

    public Guid AccountId { get; set; }
    [JsonIgnore] public SnAccount Account { get; set; } = null!;
+    
+    public Proto.AuthClient ToProtoValue() => new()
+    {
+        Id = Id.ToString(),
+        Platform = (Proto.ClientPlatform)Platform,
+        DeviceName = DeviceName,
+        DeviceLabel = DeviceLabel,
+        DeviceId = DeviceId,
+        AccountId = AccountId.ToString()
+    };
 }

 public class SnAuthClientWithChallenge : SnAuthClient
--- a/DysonNetwork.Shared/Proto/auth.proto
+++ b/DysonNetwork.Shared/Proto/auth.proto
@@ -8,7 +8,7 @@ import "google/protobuf/timestamp.proto";
 import "google/protobuf/wrappers.proto";
 import "google/protobuf/struct.proto";

-import 'account.proto';
+import "account.proto";

 // Represents a user session
 message AuthSession {
@@ -20,6 +20,9 @@ message AuthSession {
  string challenge_id = 7;
  AuthChallenge challenge = 8;
  google.protobuf.StringValue app_id = 9;
+  optional string client_id = 10;
+  optional string parent_session_id = 11;
+  AuthClient client = 12;
 }

 // Represents an authentication challenge
@@ -39,6 +42,17 @@ message AuthChallenge {
  google.protobuf.StringValue nonce = 14;
  // Point location is omitted as there is no direct proto equivalent.
  string account_id = 15;
+  google.protobuf.StringValue device_name = 16;
+  ClientPlatform platform = 17;
+}
+
+message AuthClient {
+  string id = 1;
+  ClientPlatform platform = 2;
+  google.protobuf.StringValue device_name = 3;
+  google.protobuf.StringValue device_label = 4;
+  string device_id = 5;
+  string account_id = 6;
 }

 // Enum for challenge types
@@ -49,9 +63,9 @@ enum ChallengeType {
  OIDC = 3;
 }

-// Enum for challenge platforms
-enum ChallengePlatform {
-  CHALLENGE_PLATFORM_UNSPECIFIED = 0;
+// Enum for client platforms
+enum ClientPlatform {
+  CLIENT_PLATFORM_UNSPECIFIED = 0;
  UNIDENTIFIED = 1;
  WEB = 2;
  IOS = 3;
@@ -63,7 +77,7 @@ enum ChallengePlatform {

 service AuthService {
  rpc Authenticate(AuthenticateRequest) returns (AuthenticateResponse) {}
-  
+
  rpc ValidatePin(ValidatePinRequest) returns (ValidateResponse) {}
  rpc ValidateCaptcha(ValidateCaptchaRequest) returns (ValidateResponse) {}
 }
@@ -184,6 +198,7 @@ service PermissionService {
  rpc AddPermissionNode(AddPermissionNodeRequest) returns (AddPermissionNodeResponse) {}
  rpc AddPermissionNodeToGroup(AddPermissionNodeToGroupRequest) returns (AddPermissionNodeToGroupResponse) {}
  rpc RemovePermissionNode(RemovePermissionNodeRequest) returns (RemovePermissionNodeResponse) {}
-  rpc RemovePermissionNodeFromGroup(RemovePermissionNodeFromGroupRequest) returns (RemovePermissionNodeFromGroupResponse) {}
+  rpc RemovePermissionNodeFromGroup(RemovePermissionNodeFromGroupRequest)
+      returns (RemovePermissionNodeFromGroupResponse) {}
 }